Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#29217 closed defect (bug) (fixed)

HHVM Fatal error with hash_equals() on WordPress 3.9.2

Reported by: kinstahosting
Owned by: nacin
Milestone: 4.0
Priority: normal
Severity: normal
Version: 3.9.2
Component: General
Keywords: has-patch
Focuses:
Cc:

Description

The hash_equals() function introduced in r29382 causes lots of fatal errors with HHVM 3.2. It usually happens with custom themes and/or plugins, log says:

Fatal error: Argument 2 passed to hash_equals() must be an instance of string, null given in /var/www/xyz.com/wp-includes/pluggable.php on line 1662

PHP fails but only issues a warning in these cases; HHVM, on the other hand, dies.

Is there something we can do about this, or should I pursue a request for the HHVM team to change it from fatal error to a warning too?

Attachments (1)

29217.patch (412 bytes) - added by ocean90 3 years ago.

Change History (5)

#1 @ocean90
3 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 4.0

The error comes from wp_verify_nonce(), see tags/3.9.2/src/wp-includes/pluggable.php#L1662, where $nonce seems to be null.

Before [29384] $nonce was used inside the condition and is now passed to hash_equals(). I think we should bail earlier, when $nonce is empty, see 29217.patch.

#2 @nacin
2 years ago

  • Owner set to nacin
  • Status changed from new to accepted

#3 @nacin
2 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 29620:

Require a non-empty $nonce value in wp_verify_nonce().

props ocean90.
fixes #29217.

#4 @nacin
2 years ago

[29620] specifically adds a unit test that would fatal in HHVM without the patch.

I imagine this would happen pretty commonly when wp_verify_nonce() is passed something from GPC that isn't set.
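
The guard discussed in this ticket, as an added example that is not part of the ticket or of WordPress's code: a simplified HMAC token check that returns false before calling hash_equals() when the value is missing or empty. It goes slightly beyond the ticket by also rejecting non-string input such as arrays; DEMO_SECRET, demo_expected_nonce() and demo_verify_nonce() are hypothetical names, and the request data is constructed.

```php
<?php
// Added illustration. DEMO_SECRET, demo_expected_nonce() and demo_verify_nonce()
// are hypothetical names, not WordPress functions.
const DEMO_SECRET = 'constructed-secret-for-illustration';

function demo_expected_nonce(string $action, int $tick): string
{
    return hash_hmac('sha256', $tick . '|' . $action, DEMO_SECRET);
}

/**
 * Returns 1 for a nonce from the current tick, 2 for the previous tick,
 * false otherwise.
 */
function demo_verify_nonce($nonce, string $action, int $tick)
{
    // Bail before hash_equals(): an unset request field arrives as null, and
    // "field[]=x" arrives as an array. Neither is a string that can be compared.
    if (!is_string($nonce) || $nonce === '') {
        return false;
    }
    if (hash_equals(demo_expected_nonce($action, $tick), $nonce)) {
        return 1;
    }
    if (hash_equals(demo_expected_nonce($action, $tick - 1), $nonce)) {
        return 2;
    }
    return false;
}

// Constructed request data standing in for GET/POST/cookie input.
$tick     = 42;
$requests = [
    'field missing' => [],
    'empty string'  => ['nonce' => ''],
    'array value'   => ['nonce' => ['x']],
    'wrong value'   => ['nonce' => str_repeat('0', 64)],
    'current tick'  => ['nonce' => demo_expected_nonce('delete-post', $tick)],
    'previous tick' => ['nonce' => demo_expected_nonce('delete-post', $tick - 1)],
];

foreach ($requests as $label => $request) {
    // The ?? null mirrors reading a request field that may not be set.
    $result = demo_verify_nonce($request['nonce'] ?? null, 'delete-post', $tick);
    printf("%-14s => %s\n", $label, var_export($result, true));
}
```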